The word virus gets thrown around a lot but...

[MacBoobsPro]

My cousin has an iMac, he's not the most computer literate but he's not an idiot either.

Last week his googlemail password and facebook password got changed and he was locked out of both. Because his email was locked out we couldn't reset his facebook password until we sorted his email. It took a lot of effort to figure it out but eventually I got it sorted by giving some bloke at Google the answer to some easy questions and the password was reset.

Everything was fine.

Today I get a call saying his email password has changed again (different password from before) and now his hotmail account (set up as a back up) has been hacked too. His Facebook profile is fine and Im thinking thats because we had to jump through hoops to reset the password for it and the hacker doing all this crap can't be bothered. The googlemail password reset by google was easily sorted by answering a few simple questions so my guess is whoever is doing this did the same thing to rehack it.

My cousin says he has not let anyone onto his computer, he doesnt use his googlemail etc on public computers and he is on a wired internet connection.

The only things I can think of are:
1. that someone has had access to his computer at some point and wants to piss him off for some reason. However they must be really pissed at him as they have now cracked his password since we changed it.

2. There is a remote hacker, literally hacking and tracking his mac and watching what he does on screen.

3. Or there is a virus or trojan that is tracking and changing his stuff (for what gain Im not sure) but I am not aware of any on the mac that can do this.


What do you guys think is going on? There is a little side story here but I wont mention it until I get a few answers as it may sway the replies to the question.

Intriguing isn't it?

UPDATE: His facebook has now gone too.

[r.j.s]

Someone either has access to the machine or the network.

[MacBoobsPro]

Quote:

Originally Posted by r.j.s

Someone either has access to the machine or the network.

Its a wired network straight to his Mac and he lives on his own. Why do you say this?

[r.j.s]

Quote:

Originally Posted by MacBoobsPro

Its a wired network straight to his Mac and he lives on his own. Why do you say this?

Unless there is someone social engineering him, this makes the most sense if it happened after the password was changed.

There are keyloggers for the Mac, is it possible that someone installed one on his machine?

[MacBoobsPro]

Quote:

Originally Posted by r.j.s

Unless there is someone social engineering him, this makes the most sense if it happened after the password was changed.

There are keyloggers for the Mac, is it possible that someone installed one on his machine?

I doubt theres any social engineering going on as after the other day he has battened down the hatches but it has still been cracked.

It is possible a keylogger is on there after downloading something, but what does changing his facebook and email passwords give the keylogger writer? Keyloggers are supposed to be stealthy but changing the password just tells him something is not right.

[harperjones99]

Were his passwords the same or obvious? It doesn't take much to find all of someone's emails and sites if they use the same name too. I don't think two public sites being compromised means his actual computer is compromised. You said he is not using wireless and nobody else has access to the machine so it makes the most sense that someone was able to get into one thing and use this info to get into more.

If he ever logged into either of those on a public network or someone else's computer there is an opportunity for them to get log in info also.

[MacBoobsPro]

Quote:

Originally Posted by harperjones99

Were his passwords the same or obvious? It doesn't take much to find all of someone's emails and sites if they use the same name too. I don't think two public sites being compromised means his actual computer is compromised. You said he is not using wireless and nobody else has access to the machine so it makes the most sense that someone was able to get into one thing and use this info to get into more.

Originally his email and facebook were the same and easily cracked if you knew him. Since then we created a new more cryptic password and it too got cracked. However his hotmail password was totally different and that has now gone too.

[r.j.s]

Quote:

Originally Posted by MacBoobsPro

I doubt theres any social engineering going on as after the other day he has battened down the hatches but it has still been cracked.

If he was socially engineered, changing just the password wont do much, as you said, the security questions are the same.

Quote:

It is possible a keylogger is on there after downloading something, but what does changing his facebook and email passwords give the keylogger writer? Keyloggers are supposed to be stealthy but changing the password just tells him something is not right.

Keyloggers often send their logs to the writer. So, when the hacker gets a file from the machine with:
www.gmail.com
username
password

They've got the new password. If the machine is compromised that way, changing the password will not help.

Quote:

Originally Posted by MacBoobsPro

Originally his email and facebook were the same and easily cracked if you knew him. Since then we created a new more cryptic password and it too got cracked. However his hotmail password was totally different and that has now gone too.

Keylogger makes more sense here.

I'd try something like Little Snitch to see what traffic is going out.

[MasterDev]

Could have been phished... And it could have been good to a point where he didn't know it was a bad site.

Also, his Facebook email address is probably the hotmail one, so usually they try the email address they have and that password on multiple popular social networking sites.

EDIT: Posted to late...

Anyways, I agree with r.j.s... Check to see what exactly is going on in the network.

[MacBoobsPro]

Quote:

Originally Posted by r.j.s

If he was socially engineered, changing just the password wont do much, as you said, the security questions are the same.



Keyloggers often send their logs to the writer. So, when the hacker gets a file from the machine with:
www.gmail.com
username
password

They've got the new password. If the machine is compromised that way, changing the password will not help.

Hmmm.... that is interesting (and disconcerting). But why change them? Why not just use them to access his bank details etc? This is what confuses me.

[thegoldenmackid]

Keylogger would be my guess. Any other strange things going on besides internet passwords?

[r.j.s]

Quote:

Originally Posted by MacBoobsPro

Hmmm.... that is interesting (and disconcerting). But why change them? Why not just use them to access his bank details etc? This is what confuses me.

By changing them, they have locked him out of his life, by not being able to get into email accounts that he uses to manage different things, he cannot see what they are doing, and cannot do anything about it. It's a distraction.

They may have accessed bank details (or are planning to).

By the time he gets back into the email, the real damage is done, all he can do is sit and look at the remains.

[cjmillsnun]

My guess is that he is entering passwords "in the clear"

if you're on a site that requires a username or password make sure that the prefix is https:// and that you have the padlock on the status bar (firefox) or the top right hand corner (safari).

[r.j.s]

You said there was other information that might be useful, what is it?

[MacBoobsPro]

Quote:

Originally Posted by r.j.s

You said there was other information that might be useful, what is it?

Well he has recently split with his girlfriend. It wasn't a totally amicable split but it wasn't bad either. If she had accessed his computer at some point and it slipped his mind when I asked him about her using it (as far as he knows she didnt) she could be doing it to piss him off. But being grown adults its not something that you would expect to happen.

The reason I didnt mention this before is because everyone would say that is what it is and not offer any possible alternatives. I am quite sure its not her as to keep trying to hack his passwords after we changed them takes a bit of work for no real benefit for her.

Its all a bit strange.

I'll be wiping his mac tomorrow and reinstalling everything and creating new accounts for him (each with there own passwords). I'll also give him the 101 on online security.

Any more possibilities it could be I'd like to hear them to try and stop this happening again.

[r.j.s]

I don't think it would be the ex, after the password change.

[ViViDboarder]

Quote:

Originally Posted by MacBoobsPro

Well he has recently split with his girlfriend. It wasn't a totally amicable split but it wasn't bad either. If she had accessed his computer at some point and it slipped his mind when I asked him about her using it (as far as he knows she didnt) she could be doing it to piss him off. But being grown adults its not something that you would expect to happen.

The reason I didnt mention this before is because everyone would say that is what it is and not offer any possible alternatives. I am quite sure its not her as to keep trying to hack his passwords after we changed them takes a bit of work for no real benefit for her.

Its all a bit strange.

I'll be wiping his mac tomorrow and reinstalling everything and creating new accounts for him (each with there own passwords). I'll also give him the 101 on online security.

Any more possibilities it could I'd like to here them to try and stop this happening again.

Probably checked for this already, but make sure there is no hardware keylogger as well. Anything plugged into the USB that you don't recognize?

[MacBoobsPro]

Quote:

Originally Posted by ViViDboarder

Probably checked for this already, but make sure there is no hardware keylogger as well. Anything plugged into the USB that you don't recognize?

I havent seen it but I very much doubt that as he lives on his own and would of spotted it if something random was hanging out of his mac.

[ViViDboarder]

Ok. As far as checking if there is anything on the computer sending data like a trojan or a hacker try using a firewall. Set it to strict so that it asks you about every app that wants internet access. If anything you don't know comes up then you've found it. Also, go to Settings>Sharing and make sure you have all remote accesss options turned off. Assuming your friend doesn't SSH, RSH or VNC to his Mac.

[MacBoobsPro]

Quote:

Originally Posted by ViViDboarder

Ok. As far as checking if there is anything on the computer sending data like a trojan or a hacker try using a firewall. Set it to strict so that it asks you about every app that wants internet access. If anything you don't know comes up then you've found it. Also, go to Settings>Sharing and make sure you have all remote accesss options turned off. Assuming your friend doesn't SSH, RSH or VNC to his Mac.

Everything will be default Leopard settings with regards to sharing and security etc. I installed Leopard for him from scratch around 2 years ago and he wouldnt know where to start and is not willing to go into those preferences anyway.

I set the Safari 'open safe files' to off as its on by default.

This is why I'm stumped. However it is likely he installed something (giving it his password along the way). I'll be putting Snow Leopard on it for him and I'll tell him what to be aware of on the net.

[topmounter]

Gmail always uses HTTPS for the login even when you go to http://mail.google.com. You can also login using https://mail.google.com and all of your traffic is encrypted, not just the login.

Facebook does NOT use HTTPS by default for the login, unless you specifically type https://www.facebook.com. So it is plausible that someone managed to poach his Facebook username and password somewhere along the line.

I don't know what the options are with Hotmail, but surely they use HTTPS by default for the login process.

And when you say "Its a wired network straight to his Mac", does that mean he has his own cable or dsl modem? I just wanted to make sure he didn't live in an apartment complex that was wired for Ethernet and included Internet access free in the rent.

I always hear these "keylogger" accusations, but how often is the culprit actually a keylogger?

edit... I'd also make sure he had a login password setup, just in case someone has a key to his place (previous resident, property manager, etc.) and they're accessing the computer directly.

[angelwatt]

Quote:

Originally Posted by ViViDboarder

Ok. As far as checking if there is anything on the computer sending data like a trojan or a hacker try using a firewall. Set it to strict so that it asks you about every app that wants internet access. If anything you don't know comes up then you've found it.

That wouldn't really help. The firewall is about blocking things from coming in, not going out. LittleSnitch blocks things from going out. Though, even LittleSnitch may not detect a key logger sending data out depending on its sophistication.

There's a potential a key logger was installed after calling for a phishing scam or the potential trojan got onto his machine. This would be able to account for the hacker knowing the new account info. That said, I doubt it's a key logger issue. One possibility is that they are taking an advantage of some Hotmail or Facebook weakness to steal people's info when logging in.

I generally setup a local SSH tunnel as a SOCKS proxy for all of my web traffic so everything is encrypted. It's not the easiest thing to setup for casual users though.

[aristobrat]

Quote:

Originally Posted by topmounter

edit... I'd also make sure he had a login password setup, just in case someone has a key to his place (previous resident, property manager, etc.) and they're accessing the computer directly.

That's kind of what I was thinking, too. IIRC, even if he's creating new passwords for his websites, if they're being stored in his Mac's keychain, anyone that knows his Mac's password can view the website passwords.

It's obvious this isn't just random hacking, ... someone's really making his life miserable.

NPR ran a story the other week about how for $100 or so, "websites" can give you just about anyone's gmail password. Essentially, the hacker does brute force guessing via IMAP/POP3, which apparently doesn't lock the account after so often.

Quote:

CONAN: And in any case, this was a woman who was being brought up on charges. Well, it turned out that she had been a woman spurned and had hacked into her boyfriend's email account.

Mr. JACKMAN: She had, in fact, done that. Actually, she hadn't hacked into it. She'd hired somebody to do it, and that was what was interesting to me, is that there are these concerns, these businesses out there, probably overseas, who say that for Web-based email, you give them a $100, and they will give you the password of whatever email address you want. And off she went from there. She hacked - she purchased the password for her boyfriend, then she purchased the password for his wife, then she purchased a password for his other girlfriends and then for his kids, and from there started harassing him and the feds got involved.

The whole interview is here. Neat read.
http://www.npr.org/templates/story/s...ryId=112679747

[MacBoobsPro]

So to continue the story, I went round Saturday, wiped his computer and reinstalled everything from scratch. We created brand new accounts for everything with brand new and much stronger passwords. I cranked up the firewall to max, turned off his airport card.

Everything seemed ok then on Sunday I got a call saying he received an email (to his new address he had not even told anyone about yet), from his old email account saying 'Ha!'.

What the hell is going on?

I think because of the new passwords and stuff they can no longer mess with his accounts, but to get his new email address without him telling anyone about it is freaky!

Oh and his Facebook page has completely vanished!

[angelwatt]

At this point you may want to get the authorities involved along with the owners of Facebook and Hotmail to see if they can aid in this. I doubt the Mac is the weak link here since you've wiped it. The network is likely the weak link, but I'm not sure how to advise troubleshooting over a forum.